The Great PayPal Email Hack That Wasn’t
This past Saturday, as I headed into town for a concert, I stopped to check my email and found two messages from PayPal UK, saying someone had set up an account, and added a mailing address, with my gMail address. Well, almost my gMail address. Instead of the gmail.com domain, they’d used googlemail.com as the domain. I assumed it to be some kind of phishing scam, logged into my PayPal, changed the password and removed my gMail address from the account for safety. Then, to be sure, I forwarded the emails to PayPal’s spoof checking address. Content I’d done the right thing, I hopped the subway and was soon having my eardrums split open by the Buzzcocks.
Still a bit concerned, the next day I initiated a password reset of the account with the googlemail.com email. I got the password reset email with a verification code. Upon providing the code, I was asked to send a message to a strange phone number. Weird. When I logged into my PayPal, everything looked kosher. No new addresses, no new emails, no new phone numbers. My account was untouched, as far as I could tell. Later in the day, I got an email saying the new account was “ready to shop” and that’s when I called PayPal.
It took some explaining. This wasn’t just “my account has been compromised.” This was someone creating a brand new account with an alias of my email address. Known to me, but unbeknownst to PayPal, is that gmail.com and googlemail.com are aliases of each other. If you have gMail, and send a message to yourusername@googlemail.com, it will show up in your gmail.com inbox. Since my gmail.com address was on my account as a secondary email, if PayPal knew the two domains were equivalent, the stranger should have gotten an error. What really confused me was that they were able to log in, add an address, phone number, and credit card to their account. Which lead me, and the first manager I spoke with at PayPal, to conclude my gMail had been hacked.
This seemed impossible. I have a huge, complicated 1Password-generated Google account password. I use two-factor authentication. Google showed no unusual login activity, or anything of that nature. Even if someone had access to my Google account, I can think of a million more interesting, useful, and subtle ways to use it than to set up a new PayPal account. In any case, I changed my Google password, re-set up two-factor authentication, and revoked all third-party access to my account. That was Sunday night, and I went to bed paranoid and angry.
Monday, while at work, I figured I’d try again. Knowing they had a phone number on the account, I hoped I could reach someone who could try to contact the ersatz account holder. I called PayPal and began trying to get help via angry messages on Twitter. Multi-tasking, as best I could, I spoke with a manager on PayPal’s fraud team and someone on the AskPayPal Twitter account, trying to explain the situation and see what could be done. Both agreed to contact the person in the UK, and it looked like the AskPayPal person got to them first. I got one final email, saying the account was deleted, and that was it.
Turns out, it was a fat-fingered email address after all, and the account wasn’t actually activated and verified. I gave myself a full security audit for nothing, it seems.
Part of my anger and paranoia was that this came hot on the heels of the iCloud security nightmare. The other was the incredulity of the people I spoke to at PayPal, and the lunacy that they were unaware that gmail.com and googlemail.com were aliases, and had been for the better part of a decade. At least, now that it’s sorted out, I’ve added my gMail account back to my PayPal account with both domains, just to make sure this can’t happen again. I covered my bases, and did everything right. Someone else dropped the ball on account and data verification, leaving me to wonder if I’d left a hole somewhere in my defenses.
When a user’s sense of security can be violated by someone else mistyping their email address, it’s the fault of the company whose security the user has put their trust into. Sure, it’s also a limitation of email, as a technology, but a known limitation that should be worked around. Why was this person able to even interact with PayPal, adding their personal data, without verifying their email first? Because of that lapse, I had access to the personal data of a stranger: their name, their mailing address, the last four digits and brand of their credit card. Information I neither need or want. In this paranoid age, companies—ones that handle our finances, especially—must be on top of the dangers. What happened to me, and to my mysterious UK stranger, is unacceptable.